Nmap ("Network Mapper") is an free open source utility for network exploration, administration, and security auditing. It uses IP packets in novel ways to determine which hosts are available online (host discovery), which TCP/UDP ports are open (port scanning), and what applications and services are listening on each port (version detection). It can also identify remote host OS and device types via TCP/IP fingerprinting. Nmap offers flexible target and port specifications, decoy/stealth scanning for firewall and IDS evasion, and highly optimized timing algorithms for fast scanning. Nmap runs on all popular operating systems, including Linux, Windows, Mac OS X, FreeBSD, Solaris, and OpenBSD. Download command-line or graphical versions of Nmap and its documentation from Insecure.Org.
Nmap has been named "Security Product of the Year" by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It has also been praised by Wired, Information Security, BBC, Network World, Slashdot, 2600, SANS, Info World, Microsoft, Google, Computer World, Sun World, Phrack, and more. At least three movies have featured Nmap, including Battle Royale ( [Screen1] [Screen2] [Trivia]), HaXXXor Vol. 1, and some science fiction flick. Walmart is currently selling an Nmap hacker chair.
As free software, we don't have any sort of advertising budget. So pleasse spread the word that Nmap 4 is now available!
Nmap has undergone many substantial changes since our last major release (3.50 in February 2004) and we recommend that all current users upgrade. Here are the most important improvements made in the 36 intermediate releases since 3.50 (See the ChangeLog for a much more detailed list):
- Added the ability for Nmap to send and properly route raw ethernet
frames containing IP datagrams rather than always sending the
packets via raw sockets. This is particularly useful for Windows,
since Microsoft has disabled raw socket support in XP. Nmap tries
to choose the best method at runtime based on platform, though you
can override it with the new
- Added ARP scanning (-PR). Nmap can now send raw ethernet ARP
requests to determine whether hosts on a LAN are up, rather than
relying on higher-level IP packets (which can only be sent after a
successful ARP request and reply anyway). This is much faster and
more reliable (not subject to IP-level firewalling) than IP-based
probes. It is now used automatically for any hosts that are
detected to be on a local ethernet network, unless
- Added the
--spoof-macoption, which asks Nmap to use the given MAC address for all of the raw ethernet frames it sends. Valid
--spoof-macargument examples are "
0020F2", and "
- Rewrote core port scanning engine, which is now named ultra_scan(). Improved algorithms make this faster (often dramatically so) in almost all cases. Not only is it superior against single hosts, but ultra_scan() can scan many hosts (sometimes hundreds) in parallel. This offers many efficiency/speed advantages. For example, hosts often limit the ICMP port unreachable packets used by UDP scans to 1/second. That made those scans extraordinarily slow in previous versions of Nmap. But if you are scanning 100 hosts at once, suddenly you can receive 100 responses per second. Spreading the scan amongst hosts is also gentler toward the target hosts.
- Overhauled UDP scan. Ports that don't respond are now classified as "open|filtered" (open or filtered) rather than "open". The (somewhat rare) ports that actually respond with a UDP packet to the empty probe are considered open. If version detection is requested, it will be performed on open|filtered ports. Any that respond to any of the UDP probes will have their status changed to open. This avoids the false-positive problem where filtered UDP ports appear to be open, leading to terrified newbies thinking their machine is infected by back orifice.
- Put Nmap on a diet, with changes to the core port scanning routine (ultra_scan) to substantially reduce memory consumption, particularly when tens of thousands of ports are scanned.
- Added 'leet ASCII art to the configurator! Note that only people compiling the UNIX source code get this. (ASCII artist unknown). If you don't like it, feel free to submit your own work.
- Wrote a new man page from scratch. It is much more comprehensive (more than twice as long) and (IMHO) better organized than the previous one. Read it online at http://nmap.org/book/man.html or docs/nmap.1 from the Nmap distribution. Let me know if you have any ideas for improving it. Translations to Chinese, French, Japanese, Brazilian Portuguese, Portugal Portuguese, and Romanian can be found on the Nmap docs page at http://nmap.org/docs.html . More than a dozen other translations are in progress. The XML source for the man page is distributed with Nmap in docs/nmap-man.xml. Patches to Nmap that are user-visible should include patches to the man page XML source rather than to the generated Nroff.
- Integrated all service submissions up to January 2006. The DB has tripled in size since 3.50 to 3,153 signatures for 381 service protocols. Those protocols span the gamut from abc, acap, afp, and afs to zebedee, zebra, and zenimaging. It even covers obscure protocols such as http, ftp, smtp, and ssh :). Thanks to Version Detection Czar Doug Hoyte for his excellent work on this. Other great probes and signatures came from Dirk Mueller (mueller(a)kde.org), Lionel Cons (lionel.cons(a)cern.ch), Martin Macok (martin.macok(a)underground.cz), and Bo Jiang (jiangbo(a)brandeis.edu). Thanks also go to the (literally) thousands of you who submitted service fingerprints. Keep them coming!
- Integrated tons of new OS detection fingerprints. The database grew more than 50% from 1,121 to 1,684 fingerprints. Notable additions include Mac OS X 10.4 (Tiger), OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along with a new "robotic pet" device type category), the latest Linux 2.6 kernels, Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64 UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO 3.8.X, and Solaris 10. Of course there are also tons of new broadband routers, printers, WAPs and pretty much any other device you can coax an ethernet cable (or wireless card) into! Much of this OS detecton work was done by Google SoC student Zhao Lei (zhaolei(a)gmail.com).
- Created a Windows executable installer using the open source NSIS (Nullsoft Scriptable Install System). It handles Pcap installation, registry performance changes, and adding Nmap to your cmd.exe executable path. The installer source files are in mswin32/nsis/ . Thanks to Google SoC student Bo Jiang (jiangbo(a)brandeis.edu) for creating the initial version.
- Added run time interaction as documented at http://nmap.org/book/man-runtime-interaction.html. While Nmap is running, you can now press 'v' to increase verbosity, 'd' to increase the debugging level, 'p' to enable packet tracing, or the capital versions (V,D,P) to do the opposite. Any other key (such as enter) will print out a status message giving the estimated time until scan completion. Most of this work was done by Paul Tarjan (ptarjan(a)stanford.edu), Andrew Lutomirski (luto(a)myrealbox.com), and Gisle Vanem (giva(a)bgnett.no).
- Reverse DNS resolution is now done in parallel rather than one at a
time. All scans of large networks (particularly list, ping and
just-a-few-ports scans) benefit substantially from this change. The
--system-dnsoption was added so you can use the (slow) system resolver if you prefer that for some reason. You can specify a comma separated list of DNS server IP addresses for Nmap to use with the new
--dns-serversoption. Otherwise, Nmap looks in /etc/resolve.conf (UNIX) or the system registry (Windows) to obtain the nameservers already configured for your system. This excellent patch was written by Doug Hoyte (doug(a)hcsw.org).
- Updated NmapFE to build with GTK2 rather than obsolete GTK1. Thanks to Priit Laes (amd(a)store20.com), Mike Basinger (dbasinge(a)speakeasy.net) and Meethune Bhowmick (meethune(a)oss-institute.org) for developing the patch. GTK2 is prettier, more functional, and actually exists on most modern Linux distributions (many of which removed GTK1 long ago).
- Added the
--badsumoption, which causes Nmap to use invalid TCP or UDP checksums for packets sent to target hosts. Since virtually all host IP stacks properly drop these packets, any responses received are likely coming from a firewall or IDS that didn't bother to verify the checksum. For more details on this technique, see http://www.phrack.org/phrack/60/p60-0x0c.txt . The author of that paper, Ed3f (ed3f(a)antifork.org), is also the author of this patch (which I changed it a bit).
- The 26 Nmap commands that previously included an underscore
--host-timeout,etc.) have been renamed to use a hyphen in the preferred format (i.e.
--max-rtt-timeout).Underscores are still supported for backward compatibility.
--max-retriesoption for capping the maximum number of retransmissions the port scan engine will do. The value may be as low as 0 (no retransmits). A low value can increase speed, though at the risk of losing accuracy. The -T4 option now allows up to 6 retries, and -T5 allows 2. Thanks to Martin Macok (martin.macok(a)underground.cz) for writing the initial patch.
- Many of the Nmap low-level timing options take a value in
milliseconds. You can now append an 's', 'm', or 'h' to the value
to give it in seconds, minutes, or hours instead. So you can specify a
45 minute host timeout with
--host-timeout45m rather than specifying
--host-timeout2700000 and hoping you did the math right and have the correct number of zeros. This also now works for the
- Wrote a new Nmap compilation, installation, and removal guide, which you can find at http://nmap.org/book/install.html .
- Made some changes to allow source port zero scans (-g0). Nmap used to refuse to do this, but now it just gives a warning that it may not work on all systems. It seems to work fine on my Linux box. Thanks to Bill Dale (bill_dale(a)bellsouth.net) for suggesting this feature.
- Applied some small fixes so that Nmap compiles with Visual C++ 2005 Express, which is free from Microsoft at http://msdn.microsoft.com/vstudio/express/visualc/ . Thanks to KX (kxmail(a)gmail.com) and Sina Bahram (sbahram(a)nc.rr.com)
- Wrote a new "help screen", which you get when running Nmap without arguments. It is also reproduced in the man page and at http://nmap.org/data/nmap.usage.txt . I gave up trying to fit it within a 25-line, 80-column terminal window. It is now 78 lines and summarizes all but the most obscure Nmap options.
- Added OS, device type, and hostname detection using the service detection framework. Many services print a hostname, which may be different than DNS. The services often give more away as well. If Nmap detects IIS, it reports an OS family of "Windows". If it sees HP JetDirect telnetd, it reports a device type of "printer". Rather than try to combine TCP/IP stack fingerprinting and service OS fingerprinting, they are both printed. After all, they could legitimately be different. An IP that gives a stack fingerprint match of "Linksys WRT54G broadband router" and a service fingerprint of Windows based on Kazaa running is likely a common NAT setup rather than an Nmap mistake.
- Overhauled the Nmap version detection guide and posted it at http://nmap.org/book/vscan.html .
- Service/version detection now handles multiple hosts at once for more efficient and less-intrusive operation.
- Added "rarity" feature to Nmap version detection. This causes
obscure probes to be skipped when they are unlikely to help. Each
probe now has a "rarity" value. Probes that detect dozens of
services such as GenericLines and GetRequest have rarity values of
1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.
When interrogating a port, Nmap always tries probes registered to
that port number. So even WWWOFFLEctrlstat will be tried against
port 8081 and mydoom will be tried against open ports between 3127
and 3198. If none of the registered ports find a match, Nmap tries
probes that have a rarity less than or equal to its current
intensity level. The intensity level defaults to 7 (so that most of
the probes are done). You can set the intensity level with the new
--version-intensityoption. Alternatively, you can just use
--version-allwhich set the intensity to 2 (only try the most important probes and ones registered to the port number) and 9 (try all probes), respectively.
--version-lightis much faster than default version detection, but also a bit less likely to find a match. This feature was designed and implemented by Doug Hoyte (doug(a)hcsw.org).
- Added a "fallback" feature to the nmap-service-probes database. This allows a probe to "inherit" match lines from other probes. It is currently only used for the HTTPOptions, RTSPRequest, and SSLSessionReq probes to inherit all of the match lines from GetRequest. Some servers don't respond to the Nmap GetRequest (for example because it doesn't include a Host: line) but they do respond to some of those other 3 probes in ways that GetRequest match lines are general enough to match. The fallback construct allows us to benefit from these matches without repeating hundreds of signatures in the file. This is another feature designed and implemented by Doug Hoyte (doug(a)hcsw.org).
- Added "exclude" directive to nmap-service-probes grammar which
causes version detection to skip listed ports. This is helpful for
ports such as 9100. Some printers simply print any data sent to
that port, leading to pages of HTTP requests, SMB queries, X Windows
probes, etc. If you really want to scan all ports, specify
--allports.This patch came from Doug Hoyte (doug(a)hcsw.org).
- Version detection softmatches (when Nmap determines the service protocol such as smtp but isn't able to determine the app name such as Postfix) can now parse out the normal match line fields such as hostname, device type, and extra info. For example, we may not know what vendor created an sshd, but we can still parse out the protocol number. This was a patch from Doug Hoyte (doug(a)hcsw.org).
- Fixed a bunch of typos and misspellings throughout the Nmap source code (mostly in comments). This was a 625-line patch by Saint Xavier (skyxav(a)skynet.be).
- Added a stripped-down and heavily modified version of Dug Song's libdnet networking library (v. 1.10). This helps with the new raw ethernet features. My (extensive) changes are described in libdnet-stripped/NMAP_MODIFICATIONS
- Updated nmap data files (nmap-mac-prefixes, nmap-protocols, nmap-rpc) with the latest OUIs, IP protocols, and RPC program numbers, respectively.
- Updated the included libpcap from 0.7.2 to 0.9.3. This was an attempt to fix an annoying bug, which I then found was actually in my code rather than libpcap :). Also updated the included GNU shtool (to 2.0.2), LibPCRE (6.4), and the autoconf config.* files (to the latest from their CVS).
- Nmap now uses (and require) WinPcap 3.1 on Windows.
- Added MAC address printing. If Nmap receives packet from a target
machine which is on an Ethernet segment directly connected to the
scanning machine, Nmap will print out the target MAC address. Nmap
also now contains a database (derived from the official IEEE
version) which it uses to determine the vendor name of the target
ethernet interface. Here are examples from normal and XML output
(angle brackets replaced with  for HTML changelog compatibility):
MAC Address: 08:00:20:8F:6B:2F (SUN Microsystems) [address addr="00:A0:CC:63:85:4B" vendor="Lite-on Communications" addrtype="mac" /]
- The official Nmap RPM files are now compiled statically for better compatibility with other systems. X86_64 (AMD Athlon64/Opteron) binaries are now available in addition to the standard i386. NmapFE RPMs are no longer distributed by Insecure.Org.
- Nmap distribution signing has changed. Release files are now signed with a new Nmap Project GPG key (KeyID 6B9355D0). Learn more at http://nmap.org/book/install.html#inst-integrity
- Updated random scan (ip_is_reserved()) to reflect the latest IANA assignments. This to Felix Groebert (felix(a)groebert.org) and Chad Loder (cloder(a)loder.us) for sending these patches.
- Added the
--iflistoption, which prints a list of system interfaces and routes detected by Nmap.
- Removed WinIP library (and all Windows raw sockets code) since MS
has gone and broken raw sockets. Maybe packet receipt via raw
sockets will come back at some point. As part of this removal, the
--win_traceoptions have been removed.
- Added new
--privilegedcommand-line option and NMAP_PRIVILEGED environmental variable. Either of these tell Nmap to assume that the user has full privileges to execute raw packet scans, OS detection and the like. This can be useful when Linux kernel capabilities or other systems are used that allow non-root users to perform raw packet or ethernet frame manipulation. Without this flag or variable set, Nmap bails on UNIX if geteuid() is nonzero.
- Changed the RPM spec file so that if you define "static" to 1 (by
--define "static 1"to rpmbuild), static binaries are built.
- ultra_scan() now sets pseudo-random ACK values (rather than 0) for any TCP scans in which the initial probe packet has the ACK flag set. This would be the ACK, Xmas, Maimon, and Window scans.
- Fixed an integer overflow that prevented Nmap from scanning 2,147,483,648 hosts in one expression (e.g. 0.0.0.0/1). Problem noted by Justin Cranford (jcranford(a)n-able.com). While /1 scans are now possible, don't expect them to finish during your bathroom break. No matter how constipated you are.
- Changed from CVS to Subversion source control system (which rocks!). Neither repository is currently public due to security paranoia.
- Nmap now ships with and installs (in the same directory as other
data files such as nmap-os-fingerprints) an XSL stylesheet for
rendering the XML output as HTML. This stylesheet was written by
Benjamin Erb ( see http://www.benjamin-erb.de/nmap/ for examples).
It supports tables, version detection, color-coded port states, and
more. The XML output has been augmented to include an
xml-stylesheet directive pointing to nmap.xsl on the local
filesystem. You can point to a different XSL file by providing the
filename or URL to the new
--stylesheetargument. Omit the xml-stylesheet directive entirely by specifying
--no-stylesheet.The XML to HTML conversion can be done with an XSLT processor such as Saxon, Sablot, or Xalan, but modern browsers can do this on the fly -- simply load the XML output file in IE or Firefox.It is often more convenient to have the stylesheet loaded from a URL rather than the local filesystem, allowing the XML to be rendered on any machine regardless of whether/where the XSL is installed. For privacy reasons (avoid loading of an external URL when you view results), Nmap uses the local filesystem by default. If you would like the latest version of the stylesheet loaded from Insecure.Org when rendering, specify
--webxml, which is a shortcut for
- If a user attempts -PO (the letter O), instead of -P0 (zero), print an error suggesting that the user is a doofus (actually it is a nice message)
- Upgraded the fragmentation option (
-fnow sets sends fragments with just 8 bytes after the IP header, while -ff sends 16 bytes to reduce the number of fragments needed. You can specify your own fragmentation offset (must be a multiple of 8) with the new
--mtuflag. Don't also specify
-fif you use
--mtu.Remember that some systems (such as Linux with connection tracking) will defragment in the kernel anyway -- so test first while sniffing with ethereal. These changes are from a patch by Martin Macok (martin.macok(a)underground.cz).
- Nmap now prints the number (and total bytes) of raw IP packets sent
and received when it completes, if verbose mode (-v) is enabled. The
report looks like:
Nmap finished: 256 IP addresses (3 hosts up) scanned in 30.632 seconds Raw packets sent: 7727 (303KB) | Rcvd: 6944 (304KB)
- Added new "closed|filtered" state. This is used for Idle scan, since that scan method can't distinguish between those two states. Nmap previously just used "closed", but this is more accurate.
- Null, FIN, Maimon, and Xmas scans now mark ports as "open|filtered" instead of "open" when they fail to receive any response from the target port. After all, it could just as easily be filtered as open. This is the same change that was made to UDP scan in 3.70. Also as with UDP scan, adding version detection (-sV) will change the state from open|filtered to open if it confirms that they really are open.
- Change IP protocol scan (-sO) so that a response from the target host in any protocol at all will prove that protocol is open. As before, no response means "open|filtered", an ICMP protocol unreachable means "closed", and most other ICMP error messages mean "filtered".
- Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and UDP headers when scanning protocols 1, 6, and 17, respectively. An empty IP header is still sent for all other protocols. This should prevent the error messages such as "sendto in send_ip_packet: sendto(3, packet, 20, 0, 184.108.40.206, 16) => Operation not permitted" that Linux (and perhaps other systems) would give when they try to interpret the raw packet. This also makes it more likely that these protocols will elicit a response, proving that the protocol is "open".
- Fixed a memory leak that would generally consume several hundred bytes per down host scanned. While the effect for most scans is negligible, it was overwhelming when Scott Carlson (Scott.Carlson(a)schwab.com) tried to scan 16.8 million IPs (10.0.0.0/8). Thanks to him for reporting the problem. Also thanks to Valgrind ( http://valgrind.kde.org ) for making it easy to debug.
--max-scan-delayparameter. Nmap will sometimes increase the delay itself when it detects many dropped packets. For example, Solaris systems tend to respond with only one ICMP port unreachable packet per second during a UDP scan. So Nmap will try to detect this and lower its rate of UDP probes to one per second. This can provide more accurate results while reducing network congestion, but it can slow the scans down substantially. By default (with no -T options specified), Nmap allows this delay to grow to one second per probe. This option allows you to set a lower or higher maximum. The -T4 and -T5 scan modes now limit the maximum scan delay for TCP scans to 10 and 5 ms, respectively.
--max-hostgroupoption which specifies the maximum number of hosts that Nmap is allowed to scan in parallel.
--min-hostgroupoption which specifies the minimum number of hosts that Nmap should scan in parallel (there are some exceptions where Nmap will still scan smaller groups -- see man page). Of course, Nmap will try to choose efficient values even if you don't specify hostgroup restrictions explicitly.
- Nmap now estimates completion times for almost all port scan types
(any that use ultra_scan()) as well as service scan (version
detection). These are only shown in verbose mode (-v). On scans
that take more than a minute or two, you will see occasional updates
SYN Stealth Scan Timing: About 30.01% done; ETC: 16:04 (0:01:09 remaining) New updates are given if the estimates change significantly.
--excludeoption, which lets you specify a comma-separated list of targets (hosts, ranges, netblocks) that should be excluded from the scan. This is useful to keep from scanning yourself, your ISP, particularly sensitive hosts, etc. The new
--excludefilereads the list (newline-delimited) from a given file. All the work was done by Mark-David McLaughlin (mdmcl(a)cisco.com> and William McVey ( wam(a)cisco.com ), who sent me a well-designed and well-tested patch.
- Nmap now has a "port scan ping" system. If it has received at least one response from any port on the host, but has not received responses lately (usually due to filtering), Nmap will "ping" that known-good port occasionally to detect latency, packet drop rate, etc.
- Nmap now wishes itself a happy birthday when run on September 1 in verbose mode! The first public release was on that date in 1997.
- The port randomizer now has a bias toward putting commonly-accessible ports (80, 22, etc.) near the beginning of the list. Getting a response early helps Nmap calculate response times and detect packet loss, so the scan goes faster.
- Host timeout system (
--host-timeout) overhauled to support host parallelization. Hosts times are tracked separately, so a host that finishes a SYN scan quickly is not penalized for an exceptionally slow host being scanned at the same time.
- When Nmap has not received any responses from a host, it can now use certain timing values from other hosts from the same scan group. This way Nmap doesn't have to use absolute-worst-case (300bps SLIP link to Uzbekistan) round trip time and latency estimates.
- Documented the
--osscan-limitoption, which saves time by skipping OS detection if at least one open and one closed port are not found on the remote hosts. OS detection is much less reliable against such hosts anyway, and skipping it can save some time.
- Configure script now detects GNU/k*BSD (whatever that is), thanks to patches from Robert Millan (email@example.com) and Petr Salinger (Petr.Salinger(a)t-systems.cz)
- Provide limited
--packet-tracesupport for TCP connect() (-sT) scans.
- Hundreds of other features, bugfixes, and portability enhancements described at http://nmap.org/changelog.html
With this stable version out of the way, we plan to dive headfirst into the next development cycle. Many exciting features are in the queue, including a next-generation OS detection system. We also plan to launch the 2006 Nmap User Survey in February, to learn what features you want most. For the latest news, consider joining the 32,000-member low-traffic moderated Nmap-hackers list. Subscribe at http://cgi.insecure.org/mailman/listinfo/nmap-hackers, or you can read the archives at seclists.org. You can subscribe to the (high traffic) development list at http://cgi.insecure.org/mailman/listinfo/nmap-dev.
A popular open source security scanner recently went proprietary, complaining that their community never contributes much. We are sorry to hear that, but happy to report that the Nmap community is as vibrant and productive as ever! We would like to acknowledge and thank the many people who contributed ideas and/or code to this release (since 3.50). Special thanks go out to Adam Kerrison, Adam Morgan, Adriano Monteiro Marques, Alan Bishoff, Alan William Somers, Albert Chin, Allison Randal, Alok Tangoankar, Amy Hennings, Anders Thulin, Andreia Gaita, Andy Lutomirski, Annalee Newitz, Arturo Buanzo Busleiman, Bart Dopheide, Beirne Konarski, Ben Harris, Bill Dale, Bill Petersen, Bill Pollock, Bo Jiang, Brian Hatch, Chad Loder, Chris Gibson, Christophe, Craig Humphrey, Curtis Doty, Dana Epp, Dirk Mueller, Doug Hoyte, Dragos Ruiu, Dug Song, Duilio J. Protti, Eric S. Raymond, Felix Gröbert, Florian Ebner, Fyodor Yarochkin, Ganga Bhavani, Gisle Vanem, Glyn Geoghegan, Greg A. Woods, Greg Darke, Greg Taleck, Gwenole Beauchesne, HD Moore, Jedi/Sector One, Jeff Nathan, Jesse Burns, Jim Carras, Jim Harrison, Jonathan Dieter, José Domingos, Justin Cranford, Justin M Cacak, Krok, KX, Lamont Jones, Lance Spitzner, Laurent Estieux, Lionel Cons, Lucien Raven, MadHat, Marius Strobl, Mark-David McLaughlin, Mark Ruef, Martin Macok, Matthieu Verbert, Matt Selsky, Max Schubert, Meethune Bhowmick, Mephisto, Mike Basinger, Mike Hatz, Murphy, Netris, Okan Demirmen, Ole Morten Grodaas, Oliver Eikemeier, Pascal Trouvin, Paul Tarjan, Petr Salinger, Petter Reinholdtsen, pijn trein, Ping Huang, Piotr Sobolewski, Priit Laes, Princess Nadia, Raven Alder, Richard Birkett, Richard Moore, Robert E. Lee, Rob Foehl, Ronak Sutaria, Royce Williams, Ruediger Rissmann, Saint Xavier, Saravanan, Scott Mansfield, Sebastian Wolfgarten, Seth Master, Shahid Khan, Simon Burr, Simple Nomad, Sina Bahram, Solar Designer, Srivatsan, Stephane Loeuillet, Stephen Bishop, Steve Christensen, Steve Martin, Thorsten Holz, Tom Duffy, Tom Rune Flo, Tom Sellers, Tony Golding, van Hauser, vlad902, William McVey, Zapphire, and Zhao Lei.
And of course we would also like to thank the thousands of people who have submitted OS and service/version fingerprints, as well as everyone who has found and reported bugs or suggested features.
For further information, see http://insecure.org/.